Why the Financial World Needs to Know Your Customer (KYC)
On December 18 Sila hosted the first of many webinars to come, this time focusing the conversation on Why the Financial World Needs to Know Your Customer (KYC).
Sila co-founder and CEO Shamir Karkal joined Alloy CEO Tommy Nicholas and CRO Laura Spiekerman for a very detailed discussion on:
- Laws & requirements pertaining to KYC
- Why do businesses need to KYC customers?
- How good and bad KYC impacts the user experience (UX)
Watch the replay:
Shamir Karkal: Hello everybody. Thank you for joining us today. This is Shamir Karkal, and I also have Laura Spiekerman and Tommy from Alloy, and this is going to be a fun discussion on KYC.
It might not sound like the most promising topic, but I assure you we are going to make it fun…
Okay, so it looks like people are coming in so maybe we should just go ahead and get started. I’ll start off by doing a little bit of an introduction on myself. My name is Shamir Karkal, I grew up in India, I was a software engineer. I came over to the US, went to business school, worked as a consultant for a while; and then my real introduction to the joys of FinTech regulation, and KYC in particular, started when I founded an online banking startup called Simple, that was in 2009 in New York. My original business plan had us launching in nine months, it actually ended up taking more like two and a half years; so, needless to say, financial regulation and FinTech startups are a little bit complicated.
Of course, one of the most complicated things is KYC and we will dive into that a lot more. Simple itself was acquired by the Spanish bank called BBVA in 2014. And then I went to work for BBVA, building a FinTech API platform called BBVA Platform.
Did that for a couple of years, and then left late last year and now I’m working on a new FinTech API startup called Sila Money. You can check us out at silamoney.com. But, really you know this webinar isn’t about Sila, so much as it is about KYC.
I originally first ran into KYC when we were doing KYC at Simple; and, we relied on our partner bank, Bancorp KYC. And then, we built our own KYC system. And then I built another KYC system at BBVA. So I have a little bit of familiarity with KYC, and ran into Laura and Tommy a few years ago, when they were beginning to work on Alloy. I wish I had invested in them back then, but I didn’t. But I still want-
Tommy Nicholas: Did we ask?
Shamir Karkal: I don’t know if you asked or not, but I wish I had-
Tommy Nicholas: I think we should have asked and then you should have said yes. I think we both missed on that.
Shamir Karkal: I was with BBVA and doing investments while I was working there, which is super hard. I knew very few in that period of time, which is, you know-
Tommy Nicholas: We probably thought you were too cool to invest in us anyway; but we didn’t, we should have known.
Shamir Karkal: And I thought you guys were too cool to take my money.
Tommy Nicholas: We’re not too cool for anybody’s money.
Shamir Karkal: Exactly. So let’s see … I was the first compliance officer at Simple, when it was three of us in the company. We fixed that very quickly; but, for a while. And I started off doing compliance training for all my engineering hires, by explaining to them that the first law that regulated KYC in banking in the US was passed in 1970, and it was the Bank Secrecy Act. And in 2002, Congress passed the Patriot Act, which also regulated KYC, AML and CIP for banking and financial institutions in general in the US.
In between 1970 and 2002, I think there were another 12 laws, or acts of Congress, that had something to do with KYC. So there’s literally hundreds if not thousands of pages of law on the topic of KYC, AML and CIP in financial institutions.
So, if you’re building a FinTech startup and you’re wondering why you need to do KYC; it’s literally the law. And the reason you do it is because you don’t like going to jail. To put a fine point on it, under the Patriot Act, penalty for a knowing violation of KYC, AML requirements under the Patriot Act, is a $500,000 fine and three years in jail; and, the penalty for an unknowing violation, is a $300,000 fine and only one year in jail.
So if you don’t know that you don’t need to do KYC, and that’s why you don’t do it; it’s only about a year in jail. So-
Tommy Nicholas: Just a year?
Shamir Karkal: Just one year.
Tommy Nicholas: Just one year.
Shamir Karkal: Maybe you can even take like a deal with the prosecutor, what do I know?
Tommy Nicholas: Who doesn’t have $300,000 and one year lying around?
Shamir Karkal: Exactly. So, it is a heavily, heavily regulated space. KYC is not just a good idea, it is the law; and, in case you are wondering what KYC means, it stand for “Know Your Customer.” If you’re wondering what CIP means, its a “Customer Identification Program.” And AML is “Anti-Money Laundering.”
At this point I think it’s best if I shut up and why don’t we hand it over to Laura, to introduce herself and tell us: How on earth did you get into this space Laura?
Laura Spiekerman: Sure, well actually, I’ve Tommy to blame for about half of it. Sadly.
Before I got involved with Tommy and Charles, who’s our CTO and our third co-founder, my first foray into FinTech was in 2011, I think. When I was the first employee at a company called Kopo Kopo. Which is, back when we started it, a software system to allow small/medium size businesses to integrate mobile payments in East Africa. So at the time, there was this dominant system called M-Pesa which allowed people to do P2P payments over the telco rails effectively.
So it started with air time being transferred and then it became money being transferred; just over simple feature phones. And we saw the opportunity to allow merchants to disperse via mobile money and collect via mobile money; we built this system to do that. Eventually, many years later, now it’s merchant cash advance companies, sort of in that square capital model.
[inaudible] had invested in both companies and thought it was a good model, and so that was one of the reasons that we ended up doing what we’re doing.
I moved to investing after that. So I moved back to California, decided to invest in emerging markets investments; and largely that was financial services oriented. At the time the big question I think we were looking at, is how do you solve the distribution problem for, underserved populations. So mobile money was obviously a huge theme of that; but, then eventually towards the end of that, so 2013/2014/2015, it was less around distribution and really more around identity. So what were the primary blockers to getting financial services?
It was no longer just, “Do you have a phone or not? Do you have internet or not? Do you have a bank account or not?” It was like, “How do you even get a bank account?” Even if you have all the tools, without an identity you can’t do that.
And so, that was kind of part of the first step into KYC and digital identity for me. And then meeting Tommy and Charles, when we were at an ACH payment startup, we started looking at onboarding specifically; and seeing, as you’re trying to onboard … get funds into a brokerage account or a Bitcoin wallet, this is 2014 when that was sort of a bigger issue, we saw that ACH was one part of it, but an even bigger part in many cases was that compliance piece.
So fulfilling your KYC and AML requirements, without putting your users through a really onerous and burdensome process. We left that company in early 2015 and started Alloy that summer. And so that was the early days, we really thought this was just a FinTech problem we were solving. We talked to the folks at Simple bank, who solved this in a really elegant way; and a couple of other people we knew, who had started working on this problem and realized this was something we should build for everyone. And eventually we did too.
Shamir Karkal: Really? So that was very interesting Laura, I had … Did I know where you worked at before Kopo Kopo?
Laura Spiekerman: I don’t know.
Shamir Karkal: You know Ben Lyon?
Laura Spiekerman: Yep. It was me Ben and Dylan at the time, just the three of us.
Shamir Karkal: Earlier this year … I mean I feel like I’ve known Ben forever. I feel like I’ve known you forever, I just didn’t realize … I should’ve known that!
But I actually met the CTO of Kopo Kopo in Kenya earlier this year when I was over there. It was interesting, still a great company, still working away. Awesome work on that one, and much more to come at Alloy.
But before we … I have a bunch of questions for you, but before that; Tommy, tell us about yourself?
Tommy Nicholas: I’m not going to tell you as much about myself as Laura told you about herself, because herself is more interesting. For me, this story is pretty simple, which is that I graduated from college with a history and African Americans studies degree; and as you know, that is the most in demand degree to hire … I mean absolutely everybody is trying to hire history and African American studies majors. So, given the multitude of job offers that I had coming out of college, which amounted to negative 20, I decided to start a technology company; and, essentially did a couple of tech related things, some that worked and some that didn’t, and got recruited to be Head of Product at a payments company where I met Laura. And Laura and I shared one particular … I mean, I’m sure we have a lot in common; but, from a professional standpoint, we shared one particular goal, which is that we really thought that people’s lives could improve with better access to financial products. And we thought that the primary blocker to people getting access to new financial products was that financial products were very challenging to build.
And, more specifically, the people who can build new financial products, tend to be shoddy people. Quite literally I believe this to be a very huge problem, which is that, if you really want to build a new financial product, you likely need to be a banker or some other kind of thing which might be highly correlated with being a bad person. It doesn’t mean you are a bad person, but it’s probably highly correlated; and so, there’s the world of people who might have really creative … Let’s even put aside morality … people who have really creative or good ideas, versus people who probably don’t, and are just looking to extract rents. The people who are looking to extract rents, are the people who can build financial products and the people with really creative ideas are the people who can’t build financial products.
On the other side, on the consumer side, the people who can’t access financial products for the most part, just writ large, are people who can’t be verified, can’t have their identities verified easily or can’t get a straightforward path to verifying their identity.
If you put those two things together, what our thesis has been at Alloy, is that the most important thing we could build to help other people build financial products, was the best identity verification, anti-fraud and Know Your Customer system; that was easy to integrate, that would work really well and that would verify the most good users and deny the most fraudulent users. So you would really have the strong base on which to build a product.
On the other side, the benefit that would come to consumers if we really got this right, which was that more things would get built, but that they would be accessible by more people. It’s not a small difference on both sides. It’s double digit percentages more access, and many orders of magnitude easier to build.
And so I think that adds up to a pretty big difference, but it’s a difference that is going to take place over a very long period of time and one where I hope also … which I think a lot of what we’ll talk about … one where I hope a lot of infrastructure changes besides just us building better technology; I hope a bunch of infrastructure changes on technology and data availability level, but also I hope a lot of legal infrastructure changes and we’ll talk a lot more about that. But the legal infrastructure around identity is totally screwed up and needs to change dramatically, and I hope we can be a part of that.
Shamir Karkal: Awesome. So, before we kind of dive into all of these fascinating topics that you hit on there Tom, [inaudible] that KYC is not just a good idea, it’s the law and you need to do it.
What are the different ways in which you can [inaudible] in the U.S. and what are the different ways of doing it offline, versus the different ways of doing it online? And why isn’t it that we have phone verification? You know, every online startup out there always verifies your email, or your phone number, sometimes both.
Why isn’t that good enough? And why do you need to do so much more in finance, to Know Your Customer?
Tommy Nicholas: I’ll try to keep this to … because there’s a million reasons, actually. But I’ll try to keep it to the most discreet list I can.
The first reason is that it’s the law; so, the Bank Secrecy Act … People say the Bank Secrecy Act, I’ll just leave it at that. But the Bank Secrecy Act as amended by the Patriot Act, and all these other things, specifies that financial institutions in the United States need to have an identity document, which actually is a Social Security number counts. So, Social Security number or drivers license or passport, date of birth, name and valid mailable address, on file.
And actually the reason for this is multifaceted, but the easiest way to think about it is, the government wants to be able to come and say, “Heres a list of names, dates of birth, SSNs, drivers licenses and addresses that we think belong to terrorists. It won’t be a complete list, it might just be a name and an address, or it might be a date of birth and an SSN: we don’t know what we’re going to have. But, we need to be able to give this to you, and then you need to be able to tell us whether you’re doing business with anybody on this list.”
And that means that you have to, have, all of those things, verified; and, you need to make sure that the person who provided them to you, is actually the person who owns them. And it’s that second piece that is really tricky. But what is really good news about that second piece, is that you should be doing that anyway.
Right? Because you don’t actually want to be doing business with people who are providing you somebody else’s SSN right a sign-up. You don’t actually want to be doing business with people who are fully … Oh, anonymous might be okay, I guess we could talk about that; but you definitely don’t want to be doing business with people trying to open accounts at your institution, or trying to send payments, or trying to do whatever under somebody else’s name: because I can’t think of a particularly good reason why you would do that.
I can think of a reason you might wasn’t to be anonymous, that’s legitimate, but definitely not under somebody else’s name. So, there is this overlapping question of: “What should you be doing anyway? Versus: “What burden are you mandating on people that might not be a particularly good idea? And I think the valid, mailable address is probably the most obvious one. Which is, what if you’re building a fully digital financial service; why can’t you consider a email address that is verified as belonging to a person, just as good as the mailing address because at the end of the day we’re not mailing anything to them, right? We’re not showing up at their home address, to do anything. But because of that BSA reason, which is they might only have the name and the address for the person, they need you to verify that information: so you’re stuck.
Shamir Karkal: And it’s interesting that everyone who uses data that you’re required to hold on to customers, is a potential barrier to onboarding customers. What about customers who don’t have an SSN? And actually one of them might be legal US citizens, who don’t have an SSN. That is possible.
It might also be undocumented immigrants and all sorts of other classes of people who-
Tommy Nicholas: What if I don’t have a mailing address that I receive mail at because I live in the middle of nowhere in a grid system that’s not totally, fully baked out and that instead I get a PO Box to send my mail to? Well now, PO Box is not a valid address. It’s not written in the law, but nobody considers it a valid address because that’s what fraudsters use to commit fraud and it’s just too high of a signal to be somebody doing money laundering or committing fraud.
Okay, but what if my only mailable address is a PO Box; and that’s a real thing. We’ve even had bank executives with some of the sort of middle market banks that we work with that are more in the middle of the country that have had that be their own personal circumstance.
What if you’ve moved recently and there’s no way to actually … it’s not on your drivers license, it’s not on your phone bill; there’s no way to actually verify that address. That’s the case for our CTO, he just moved and even signing up for our customers of ours products. He has no way to verify to them that he’s providing a valid address because he doesn’t have a phone bill, he lives with somebody else, it’s not in his credit report.
So what I there is no physical way to verify that information? Now I can’t have a credit card? Now I can’t have a checking account to hold my money? Like, when you think about the constraint in that way it’s a little bit ridiculous. So I can’t provide a document about the physical address of where I live; which nobody else in the world needs. So I can’t put my money in a FDIC-insured savings account?
If you were to have written down that constraint when they were making the BSA, they would’ve said, “Well that’s certainly off, we can’t have that. We’ve got to do something better than this.” But instead, here we are.
Shamir Karkal: Completely. A part of that is the outcome of having layers and layers of law on top of each other over decades, while the economy and the way people live their lives has changed dramatically.
Tommy Nicholas: And the people who were supposed to be serving has changed dramatically. I think, to some extent, this wasn’t as fundamental of an issue when you had theoretically … right, this was never true … when you had bank branches on every corner and that was the expansion of bank branches was going quickly.
So the idea was everyone was close enough to a bank branch where you could sort this out. And maybe signing up for accounts over the phone, or in other ways it was kind of speculative. And then second of all, the idea that you would want to create laws that … like the ideas that you would have the trade-off of stopping money laundering or serving poor people with financial services products that you would choose serving poor people with financial products. I don’t think there’s any evidence that that was an idea that people held in their minds as like an option until, the last ten years where it became more of a movement. I’m not saying that people became better people, it just became more of a movement … it became things of which we could name a bunch, like the Omidyar Network, or … I don’t know, there’s a bunch of like … like Imprint Capital where Laura worked, and there are a whole bunch of these people pushing this idea now, but I don’t think that was the idea when they were making the BSA; or certainly not when they were making the Patriot Act. We were all around when that was happening, and that was not what people were talking about.
Shamir Karkal: Yeah, and a lot of the focus back then was on money laundering and counter-financing of terrorism; and, kind of the stated goals of some of those laws, they may have achieved their goals, but they have a lot of unintended consequences. One of them being that, you know, picture metric, but somewhere between 10 and 20% of the US population is either unbacked or underbacked; which means, they typically don’t have checking accounts. And, part of the reason is that it is they don’t have … something about the fields of data that they need to sign-up for checking account, is screwed up in some way.
And, it’s homeless people. It’s undocumented immigrants. It’s people who move a lot. My best story on this was, when I was working at BBVA, the … BBVA is a large Spanish bank. It’s global. They have operations in 30 different countries, but really like a major presence in 11, including the US; and, they decided to take, I think the guy was number two in Turkey, and move him to be the CEO of the US branch.
This is something that global corporations do all the time, shuffle around executives. I know the guy, actually lived and worked in the US for a long time, and he was great guy; Onur is his name, he is now actually the CEO of the whole group. But when he was moved to the US, the CEO of BBVA campus in the US, and he could not get an account at the bank that he was the CEO of.
It took about, I think it took almost two months for the compliance and legal teams that reported to him, to figure out how they could get him an account at his own bank, right? And it was hilarious. The FDIC and the bank board and everybody else was fine with him being CEO, just getting him an account was hard.
And that’s just-
Laura Spiekerman: The other piece that stands out is like, your not … I can’t remember the statistic, and you probably know it … but we’re catching so little of the money being laundered every year-
Tommy Nicholas: I think it’s 1%.
Laura Spiekerman: Not only do we have all of these unintended consequences for people who are trying to be banked and can be banked; but then we also aren’t really fulfilling a really critical piece of, sort of the point of this legislation.
And so, it doesn’t … Yeah, it’s pretty broken.
Tommy Nicholas: I like to imagine if you went back when they were passing all these laws and you said, “Okay, so heres what’s going to happen: We’re going to basically make it impossible for an entire class of financial services to exist. If you want to build things like, handing out debit cards to homeless people on the street so they can receive payment … Laura and I both were early on, and I’m on the board of a company called “Spread the Vote” where we actually get people physical IDs so that they can vote but also do other things. And one of the main things that they need them for, is they need to open a bank account so you can receive payroll so they can start a job.
This happens all the time, they can’t start the job without an ID, because they need a bank account … like HR needs a bank account, they’ve changed their policy, they won’t pay you cash. They need a bank account. They don’t have a bank account.
Shamir Karkal: Yeah, that’s a huge problem.
Tommy Nicholas: So let’s imagine we told people that, we told people that 10% of Americans would be exempted from a huge class of financial services, just period. And then we also told them it would cost 60 billion dollars in costs to the financial system; which, I think is great for me, but I don’t think Congress would have been thrilled with that, and I don’t think lobbyists would’ve been thrilled with it.
And then you also told them that it’s stated goals, and we catch only 1% of terrorists financing, and we could … It’s possible that it stopped the growth of terrorist financing and some other things; but, it would only catch 1% of money laundering.
I think people would have said … or at least hope people would have said, “Well that doesn’t sound very great. I’m not sure we should pass this law. I think maybe we should do something else.
Shamir Karkal: It’s possible. You end up with all the sort of story of financial regulation of it all; it’s like, it’s always valued tender at the start but it doesn’t necessarily end up in the best place.
I think the study that I saw, estimated that banks globally, captured between 0.2 and 0.4% of the overall money laundering that was going through their systems. At the upper end of the estimate was less than half a percent.
And that seems crazy. You’re like, “Wait, banks catch tens of billions of dollars of money laundering every year,” and then every now and then you have something like the Danske Bank case in Europe where one branch in one country was laundering hundreds of billions of dollars and you’re like, “Oh, wow!” So there must be a lot more happening that is never caught at all. And sadly the system doesn’t nearly catch as much as it should. And I believe it could if it was better built.
But that’s a topic for another day. Right now, I think the question that is interesting is, we all have to live with he laws that are out there, at the moment at least; and, how do you actually do KYC in the US? And how can you do it so that it is done well; especially online, when you are trying to build an app or a startup, or whatever you … you have an idea, and you’re suddenly like, “Wait, I need to do KYC? What is this KYC? How do I do it? And what are the do’s and dont’s? The good ways of doing it versus the bad ways?”
Tommy Nicholas: So we’re 27 minutes into a webinar about how to do KYC and we’re actually going address the question, so I think we’re right on time.
I think that’s our fault for having too much to say to each other. We should have gotten our talking to each other out … Offline.
No, but this has been good and I think I can answer with a couple of ideas. There’s kind of two parts to what people call KYC, and I think it’s good to consider it all one thing; which is, well people call a CIP, a Customer Identification Program. Sometimes they mean that as separate from some of these other topics, but you just think of everything you do as identifying and deciding whether you can do business with the customer as one thing. And i think that helps.
So, the ways that you can satisfy the different parts of what it takes to identify customers online; the first is to use what’s called a “Fully Non-Documentary Approach” which just means taking the customers information … and again it’s going to be a minimum of name, address, date of birth, and then you’re going to have a series of options; but et’s just go ahead and say: SSN. It’s going to be those four things, and then you probably want to take in phone number and email address as well, for reasons I’ll get to. And you’re going to take that information, and you’re going to run it through a series of third-party databases which can try to verify each of those pieces of information.
That can be things like: the telephone companies, public records data, credit bureau data, government records data, a few other things. And you’re just looking to make sure you can verify each of those four things. That the address belongs to the person, that the SSN belongs to the person, that the person exists; and a series of other things.
And, as written, it is possible, to just do that; get all that information, verify it or even not get some of it verified if you feel confident that it is probably is right, or is quite likely right, and then to make a risk assessment about how likely this is to be somebody who’s committing fraud or is a bot or something like that. Which you could do using bot detection software, which you could do using the attributes that are provided and try to pull as much data on those attributes as you can, see if the email address that’s provided looks like it’s deliverable and probably belongs to the person. Same with the phone number. Maybe you do two-factor authentication, to those devices and to the email. And you get to a point where you say, “We’re confident enough, that this is the person who they say they are, and that we verified enough of this information, that we can now give this persona an account; assuming, that they’re not likely to be on any terrorist watch lists or other things,” which again, is a database call that you can make.
That’s the ideal situation. It’s that the customer basically tells you who they are. They hit submit on the application and they get verified yes or no. The issue with that, is that … there’s two issues with that, that will come up. The only issue that is real, is that it’s hard for people to get their head around how you really verify this person is who they say they are, when they just provided you some information.
I can get into how I actually believe that is possible; for example, what if somebody stole that information and provided it to you, how are you authenticating [inaudible] this way. I hinted at [inaudible] could do that, but how is that true?
What a lot of folks will want you to do is ask like out of wallet questions; so, ask the person after they’ve submitted you that information, say it back to them, “Okay, before we give you this account, I’m going to ask you some surprise questions that you might not have known ahead of time: Which of these five addresses did you live at as a child? Which on of these people is your uncle? Things like that, and we’re going to give you 90 seconds to answer them and if you can answer them correctly you’re fine.”
A lot of compliance officers and a lot of people, just broadly will just take the idea that you would just take in the customers information and say, “Oh, they must be who they say they are,” as just like a fundamentally bad idea. It is kind of a fundamentally bad idea, unless you’re really good at it.
So, that’s one of the problems. If you’re really good at it, it’s a really good idea. If you’re really bad at it, it’s a really bad idea.
The other thing is that, traditionally, I mean it’s sort of … the BSA is written for having pictures of drivers license and passports. The way it’s written is assuming that you’re in a branch and you’re going to hand over your ID, somebody is going to scan it, they’re going to look at it. They’re going to make sure it looks like a real … They’re going to document the information on it, and off you go.
So, a lot of folks, what they want to do is they want to do that online. Take a picture of your ID, we’re going try to keep it on file, we’re going to try to verify that it’s real and that causes a ton of friction for the customer, they might not have their ID on them. What if they don’t take a good enough picture? What if the picture is blurry? What if you try to use machine learning to verify that picture and it verifies it incorrectly; which is mostly what happens. How are you going to verify all these ideas? And then by the way, now you’ve got a picture of an ID, and a picture is not data, right?
So if you want to re-run that customer through like terrorist watch lists a year from now to see if they’re on terrorist watch list, now you can’t run the picture, right? You need the data: remember, you need the name, address, date of birth, and social. So, we haven’t exempted ourselves from asking for that information, and now in fact we’ve just created this new type of information that we need to ask.
So, the easiest way to think about this is like, you need to have this information, you need to authenticate the customer, and you need to document that you’ve done all of this. And the best way to do that, is the way that is hardest for compliance officers and various other people to get their heads around. Which is just take the information and make like a really sophisticated risk based decision, and authenticate them in some smart ways using two-factor authentications and various other things.
And the worst way to do this, is the easiest way to get your head around; which is, let’s scan physical documents and say that that’s sufficient. So you end up in this world where, the ways … there’s kind of three layers of ways to do this. And the two worst ones are the ones that people gravitate towards the most. And the best one, because it’s the hardest, but it is super doable; but the best one, is the one that people shy away from because it’s the hardest to explain … It’s actually documented that you are allowed to do this, but it just probably didn’t work before, and now it does and so that’s why you end up I think with a lot of confusion internally at companies trying to do KYC. It’s why you end up with a lot of confusion for users, about why they’re being asked to do certain things. That’s why you end up with frustrating, largely non-automated identity experiences when you’re setting up for financial products.
Shamir Karkal: Okay, so hold that thought because I’m like … well, given that there have been a bunch of [inaudible] especially kind of the [inaudible] briefs from a year ago; it feels like every scammer out there, probably has [inaudible] for, pretty much every American on file, and then probably you can buy them on Eastern European websites for like 50 bucks.
What do you need to do in addition to asking for that information? You need to keep that information on file. It’s what basically the BSA and every act since then kind of mandates. How do you make sure that it’s not just a bot written against your website that’s creating like 5,000 accounts and then using that to funnel money … And Tommy, I am going to ask Laura that question because she hasn’t spoken at all, and I want to be sure …
Laura Spiekerman: Can I add a couple things from what Tommy was saying before, to you?
Shamir Karkal: Yes. Please.
Laura Spiekerman: The other things I think, like there’s sort of the elements of what should you do, or what shouldn’t you do, right? So Tommy described sort of different ways of doing it. I think there’s also like, what are the qualities you want your system to have regardless of how you do it?
And to me, one of those is you have to be able to have it be flexible. So, in this scenario you just described, but also like … there are going to be things outside of your control that will change, whether that’s breaches that happen. Whether that’s regulatory changes that come down the pike. Whether that’s even internal things like we’re launching a new product and that may have a new demographic, a new set of requirements. A new onboarding process. Whatever that is, you want to consider not only what are the elements that go into the onboarding process or the KYC process, but also how do you want that system to react?
So do you want it to be real time? Do you want it to be flexible? Obviously, the answer from our perspective to those is yes and yes. Do you want to future-proof it, right? Do you want to build it so that you don’t have to re-do everything in a year?
So those are the elements that are really important besides just like what are the individual things that go into this. The scenario you describe, which I think is absolutely true and top of mind for, both FinTech companies and established financial institutions is like, what do you do when it feels like every single identity is kind of out there, and we take the approach that you should start with that assumption and kind of work backwards from there.
One of the really important elements that has gone into our experiences, is kind of that velocity piece. For instance, you should be tracking … It shouldn’t be static. You should be backwards looking. So, this is not just an identity that looks good today, right now at this exact moment. But how many times has that bank account come to me before? Are there consortiums out there that are kind of tracking this IP address or this device, with some level of certainty that I can say, “This is probably bad, if they’ve applied for five different accounts in the last 24 hours. That looks bad.”
And those pieces are the pieces you have to have some sort of historical view, not just point in time, this looks good; because that identity would check all the boxes, right? You would pass them if you weren’t looking outside of that narrow, moment.
Tommy Nicholas: I think a good way to … the way that we think about it is … and I hope I didn’t imply something that I didn’t mean, which is like, just take in the name, SSN, address and date of birth and see if it matches some external databases.
That’s kind of what I meant by like, if you do it badly it doesn’t work at all, because that information has all been hacked, right? So that’s just ten cents on the dark web, everybody’s address, history, date of birth, SSN and name. But it actually turns out to be super hard for fraudsters to take advantage of that at scale without giving themselves away.
So, Laura hinted at a couple of those, right? Which is velocity, they’ll be hammering institutions around the country with the same identities trying to get accounts and you can use velocity as a characteristic, and there’s a whole bunch of consortiums you can tap into to get that.
Behavior, so bots behave like bots, so you can detect that. But even if it’s not bots, fraudsters behave like fraudsters, they’re spoofing their browser language, they’re spoofing all sorts of elements about the devices that they’re using.
The third is that they’re coming from foreign countries and so what they’re going to have a really big challenge doing, is having enough real looking cell phones, deliverable email addresses and other sorts of things like that. And so if you ensure that they actually have access to the email addresses they’re providing, via two-factor and access to the phone they’re providing via two-factor, then that now … you’ve raised the bar astronomically for what they have to do.
Now they don’t just have to buy an identity for ten cents on the internet; they need to buy an identity for ten cents on the internet, they need to establish a deliverable email that doesn’t look like a fraudsters email address. They have to establish a history with that email address. Then they have to get a phone and they have to only use all of that to commit fraud one time. It’s a similar concept as to why the Bitcoin network is secure; because like, the Bitcoin network is secure because the bar to double spend a Bitcoin … You can double spend a Bitcoin if you have a billion dollars, there’s a way to do it; but, the reward is so low and the cost is so high, that nobody will ever do it, and if they do it doesn’t matter because it will only ever happen once.
So, if you basically create a scenario in which a fraudster has got to get everything right to not look like a fraudster, but that a good person would just look like a normal person. The bar for a good person to look like a good person is very low, but for a fraudster to not look like a fraudster, the bar is very high.
Then you start to get to a point where you’re within a couple of percentage points that you’ll catch based on behavior down the road. And I actually think the future of this is actually to treat KYC as a lifecycle thing … not meaning like sanction screening. That’s something people already do. People already keep re-screening their customers to see if they’ve ended up on the OFAC list.
What I mean is to make the bar super high for fraudsters and super low for good customers, but then reassess that based on what they do, right? Based on how they behave after they … You send them a card and they’re very first … They looked good. They somehow passed the bar, but their very first payment was a $10,000 wire transfer at a MoneyGram in a Walmart. All right, well it’s probably a fraudster.
I think like, from what we’ve seen, you can pretty much without burdening good users, you can pretty much get to a point where you can assess this holistically and get it right almost all of the time. But you have to do this really hard thing, which is you have to bring all this data in and you have to put it in a system that actually gets it right, and then you have to keep updating it after the customer has the account, and it’s a hard task and so I get why people don’t do it, but I really do think that is the future versus burdening the user, versus burdening the customer with, a higher bar to pass, which is not what we should be doing.
Laura Spiekerman: You alluded to this earlier, but I think the good news/bad news is like the … bad news for the regulatory system is that, just checking the boxes to make them happy on paper, is like so ineffective. The good news for FinTech companies, banks, whoever out there is that, there is a business case fighting fraud and fighting losses associated with fraud to doing all this other stuff as Tommy is talking about.
And so, doing that actually makes you much , much more effective on the fraud front but also on truly knowing your customer, right? And actually fighting money laundering, it just isn’t written anywhere that you have to do that or that you should do that. And that’s sort of the piece where we have to … like we’re far ahead. Not we, but the people who are probably on here, and that we talk to every day, are much further ahead then kind of the regulators on this front.
Shamir Karkal: So, if I can sort of recap all of that a little bit, because we only have about 15 minutes or so left.
You do need to do KYC. It is the law. And if you are doing anything in FinTech, it is almost certain that you need to KYC. The kind of bad way to do KYC would be to do it once, upfront and just ignore the … just take five fields of information, whatever. But if I check against a background database, and that’s collect good, you’re almost sort of going to end up with fraudsters at some point, if you get to scale and if you’re doing something that’s a factor for fraudsters to hack, they will.
And this brings on an interesting sort of dichotomy, right? As you said, even in any app or service out there, at least 80% if not 95, 99% of people who lied on that Apple services website and tried to sign up and go to the KYC flow, are likely good people. The vast majority of people on the site are good, ordinary human beings. They may not all be great customers, but that’s a product market question.
And so, the whole trick to figuring out KYC and doing it as … like you have to regulate for requirement, that you do need to keep these fields of data. There’s some flexibility there, you know maybe if you’ve got drivers license or Social Security number, whatever. But you do need to hold those basic fields of information at the same time, you want to actually make it really easy for the 95% of good people to get through that system and get … because you want to make for product market reasons you want to make the product as frictionless and as easy to use as possible.
But then on the other hand, for both regulatory and especially for fraud reasons you probably end up losing money to fraudsters. You want to make that 5 or 1% of bad actors and you want to make it really hard for them to get through the system; and the ways to do that, may not have anything to do with the five fields of information. The fraudsters may actually have those five fields of information better than the 95% of good people.
I may have just recently moved, and may not be able to verify my new address. Actually I just recently moved; but anyway, the fraudster might have all my six historical addresses in the US perfectly on file and be able to come up with that. And the ways to kind of separate that, might not have to do with address, it might have to do with things like IP address. It might have to do with email verification, it might have to do with phone verification. Phone location. It might have to do with browser user agent. And velocity controls, and consortium checks.
So, a whole host of things which is easy for somebody … I’m in the US, I have my phone, it’s connected to a local site here and the user agent would say it’s an Android phone and it will all check out. But it might not check out for the fraudster who is trying to kind of imitate me and try to hack my account from wherever outside the US.
So, that’s a way of sorting separating it and making it very hard for fraudsters while making it really hard for good people. One of the things that you kind of hit on a little bit here, is that the regulatory system is sort of set up to think of as your identity is verified or not, right?
If you go through KYC, somebody took your drivers license, looked at it, looked at you, you’re good to go and now you’re in the system. And historically a bank doing that in a branch, would come back and never do it again.
But the online way of doing it, is trying to verify the licensing fir it, somebody could always put on Mission Impossible face masks and spoof any face they wanted, maybe. But now of course with online you have like deep fakes which you can re-create anybody’s face, or video and it’s not really that much to it at all.
So those sorts of systems can be beat. What is maybe harder to do is actually beat the sort of the separation that we just talked about. But it is true that you can … it is not a verified or not verified. It’s like what is the probability of this individual customer, actually being a real person who is who they claim they are versus not, and you want to set a bar …
Tommy Nicholas: And then what behavior in the future would change our mind?
Shamir Karkal: Exactly.
Tommy Nicholas: What could they do?
Shamir Karkal: Exactly. And initial process, we had up to a 98% certainty that Tommy is Tommy, and that is Tommy sitting in front of that phone where he tried to sign-up, but the moment he starts like sending off wire transfers to Eastern Europe, that probability goes from 98 to maybe 50, right? And we want to freeze those transfers and have a talk with Tommy about that.
But it’s not something that you can do just one time, it is an ongoing basis and it’s a continuous evaluation, but it’s not a zero one. It’s going to be, a probabilistic spectrum. And then once you start thinking about it, the person becomes, if you can verify somebody as not being at that 5% initially, right? That means that if they’re using a US phone, a user agent, browser and email and phone and everything else verifies, they might very well be a US person, with a very high degree of probability, even if you can’t verify their address. Even if you can’t verify their … maybe even their date of birth, or some other field, right?
So you might be able to get to a higher certainty, with those non PII based fields of data, then you might with the PIIs. Especially given that all the PII is no longer private anyway. And by the way, PII is personal identifiable information, it’s like you know your first name, last name, date of birth, social, that sort of stuff.
Tommy Nicholas: Do you use Coinbase? Coinbase has actually done a really interesting thing … You’re doing a crypto thing, you must …
Shamir Karkal: Coinbase, I don’t use it much but you know, I’m signed-up to pretty much every service out there.
Tommy Nicholas: Yeah, as soon as I asked that I was like, “That’s a ridiculous question, of course you have used Coinbase at some point.”
They do actually one of the best … I don’t know their money laundering procedures under the hood, so I don’t know everything about this; but, they do an interesting thing, which is something everyone can totally do, which is they let you sign-up, they make you give the required information, you can opt out of certain parts of the KYC process, adding a funding account, scanning an ID.
And then at some point .. you can buy a $100/200/300 worth of Bitcoin, I forget what it is. And they do a bunch of fraud verification on … like I was just talking about, they’re not just letting anybody on; but they basically say like, heres the bar to do sort of a toothless amount of transactions that might get you interested, it might be all you want to do in the first place, because you’re not somebody with a ton of money so it’s fine.
And then you need to do a bunch of verification on your bank account and then scan an ID which might get manually reviewed by a person which is not great but like they sort of set a higher bar, if you want to become like a real user who can spend thousands of dollars. I’m not saying that they’ve nailed it in every way, but I’m saying that’s actually … they did that in consultation with lawyers and regulators, it’s not like that’s some mind … it’s called risk based … making a risk based decision and then what we call it is risk based authentication.
That’s totally on the table, but you can imagine in the traditional financial system and even in the FinTech world, the amount of engineering that would need to go in tot actually make that a reality, versus Coinbase which is built [inaudible].
Shamir Karkal: But it is good that people are beginning to do that. And by the way, I do think that’s a best practice. When you have that probability function and you say, “Hey, we got to 95% certain that Tommy is Tommy when he signed-up so we gave him access.” But 95 only gets him access to so much, and if he does more things that got him from 95 to 98, and that might just be going out and doing a few card swipes, buying a few Bitcoin or doing whatever the system allows them to do. Kind of in the expected part of users in the system, then we go from 95 and 98 and by the time Tommy actually wants to transfer $50,000 he’s already at 99%, so we let him transfer the $50,000. But if Tommy veers off the straight and narrow and starts doing weird stuff, we actually go from 90 to 85 and then he finds that he can’t spend more then $5 or his box has shrunk to the point where he’s basically frozen in his account and then he might want to call in and ask what the hell is going on, or you might do an outbound call to him and say, “what the hell is going on?”
And then you might add more information and say, “No, Tommy did just sign-up and decide to take a vacation to Eastern Europe. Very few people do that, but somebody did and that’s not impossible.
So those sorts of flexible systems I think are not just the future, they’re state of the art [inaudible] systems now. It’s not surprising that they’re being built by FinTech, especially FinTech who see a lot of fraud. I think that is kind of the best practice.
At this point I haven’t seen any questions in the little box to the right of the screen, so if you guys want to ask any questions, I’m just going to keep going on about this.
So, people want us to keep going on. So Laura, I’m going to ask you: How does good versus bad KYC impact the user experience? And also, you’re a sort of generic FinTech/bank developer; how does that impact your chances of getting to product market [inaudible]
Laura Spiekerman: Yeah, so I think the bad user experience is probably one that people are pretty familiar with, even if they don’t know how or why it’s happening; but, what we see is that, on average … this is kind of across banks and you know … but people who are applying for digital financial service about 50% of the time, they get sent to manual review. Not because they’re bad, not because they’re actually on an OFAC list, but really because you’re not able to verify every piece of information to some degree of certainty. Often address data, as we’ve sort of discussed is the culprit there.
And then I think what we’ve seen is that 80% of people, once sent to manual review, just drop out all together; and so, that I think really is emblematic of that terrible user experience, where you’re just trying to sign-up, you want your account, but once you hit roadblocks where you have to scan documents are email them or call into a contact center it’s sort of just like, forget it.
I think the really bad part is that can happen even at an institution where you already have an account, or they already know who you are. They already know all this information about you and they’re still are putting you through the ringer, I think that’s … I can speak for my personal experience, that’s really frustrating.
And I’ll often just drop out, like similar to you guys, I’ll sign-up to FinTech apps all the time, and if it takes … If something can’t be validated or if I’ve spent more than ten seconds waiting for someone to figure it out I just am like, “Forget it.”
So, I think we see that bad experience all the time. The good experiences are minimal friction, and I don’t think that means not asking people for information, I think people are pretty willing and we’ve seen this SSNs, people are pretty willing to give you their PII if they trust you, when they’re singing-up, but it’s the asking for tons of information that doesn’t seem like it’s applicable, or information you’ve already given them, or information you’ve already given them. Or information that’s not easily accessible that things become problematic.
So much of this information is actually just in your mobile phone or in your head, it shouldn’t be things that are not findable. And I think that a good example there is something like challenge questions, out of all the question which we see are super ineffective, I can’t remember the address I lived at ten years ago. And, or things are super Google-able. So the person who has my information already sitting in front of him will be able to answer that better then I could.
Shamir Karkal: It’s entirely possible that some Eastern European website has all of that information available, going back 2 years for like, whatever, 10 bucks.
Tommy Nicholas: Charles, our CTO, wrote a blog where he decided to try to answer his own out of wallet questions, as if he didn’t know them by using Google, and he was able to.
Shamir Karkal: So that brings up one interesting question that was asked by Ron Sheldon; which is, one of the places where there is a lot of identity information, is operational banks. Each of the large banks, which is Chase … all of them, serve somewhere between 10 and 20 million customers; and, what do you think are the prospects of the banks lodging ID management services similar to what the public record systems have … and maybe going after this identification space, which is only getting bigger.
Tommy Nicholas: I’ve being trying to understand this use case, so I’m not going to throw too much water on the … I’ve being trying to understand this use case, and the best that I can think of is, maybe the way you would want to do it is you would basically want to say … because Capital is the ones doing this so I’ll use that as an example … you’d want to say, “Capital One has a very high bar for figuring out identity because they have to, they can lose a lot money if they get it wrong and they can lose a lot of money if they get it wrong [inaudible] turned everyone away, so you would assume there’s something there.
So maybe if you [inaudible] on a bootstrap off of that, and that’s the use case that I can kind of understand. Or maybe you’re another bank and you might want to bootstrap off of that.
The thing is though, the world in which you’d have to believe that Capital One is the best to do that for other institutions and other governments and stuff, is a world in which you believe that nobody can just learn just the core components of what they’re doing. Or independently figure them out for the same reason they figured it out, right? And build a system that kind of more suits the needs of the enterprise customer and is customizable more to a variety of needs, whereas Capital One does only one set of things. They don’t actually have a one size fits all, they onboard people probabilistically depending on what they are trying to do.
And so, I sort of have to believe that like BBVA or Capital One, or somebody like that is actually well positioned to become like a B2B software company, selling something that was built for an internal use case, and I struggle to understand why that would be good.
What I don’t struggle to understand why that would be good, is if they have their own identity services which feed … and this is what I think both BBVA and Capital One are doing, and this I really like, which feeds into the other things that they do. SO, for example, if you log in with your Capital One account, it can be identity management platform that also syncs up your payment information, so now you’re verified as an e-commerce user, and your card information can be used. Or your rewards points can be used. Or your rewards points can be gained.
Same thing at BBVA, which is being built on an open platform. That’s why I sort of start to see some value from it, yeah and I think Dunno Matter, who will remain anonymous, is I think asking the right question; which is, is this a utility or is it a business? And I think if it’s a business I’d be very embarrassed, but if it’s a utility or it could feed into other utilities I think very interesting, because there is a lot of data out there.
But at the same time, the credit bureaus actually are that utility. The banks do report that information to the credit bureau checks systems to experience trends. It gets into murky territory.
For wrapping this up, I actually have to jump, but if there’s sort of wrapping up to do, I’ll leave. I think Laura can stay on for a few minutes, but this has been really fun.
Shamir Karkal: Thank you Tommy, it definitely has been a lot of fun. I think we could keep going for another hour and now we’re getting a lot of questions. My suggestion, we are on a time limit, we do need to leave. I’m going to thank our lovely speakers. Thank you Tommy. Thank you Laura.
Laura Spiekerman: Thank you.
Shamir Karkal: And by the way, they are on Twitter, and I will post their Twitter handles here. Feel free to harass them on Twitter or maybe even follow them. Or me, for that matter. And if there is enough interest; I think the idea here was to do this as sort of a series and this video will be posted online and available everywhere. But we might do more of this in the future, and try some other formats too.
Thank you guys. Always a pleasure.
Laura Spiekerman: Thank you. Take care.